1 /* $OpenBSD: tls13_client.c,v 1.13 2019/02/28 17:51:19 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "ssl_locl.h" 19 20 #include <openssl/curve25519.h> 21 #include <openssl/ssl3.h> 22 23 #include "bytestring.h" 24 #include "ssl_tlsext.h" 25 #include "tls13_handshake.h" 26 #include "tls13_internal.h" 27 28 int 29 tls13_connect(struct tls13_ctx *ctx) 30 { 31 if (ctx->mode != TLS13_HS_CLIENT) 32 return TLS13_IO_FAILURE; 33 34 return tls13_handshake_perform(ctx); 35 } 36 37 static int 38 tls13_client_init(struct tls13_ctx *ctx) 39 { 40 SSL *s = ctx->ssl; 41 42 if (!ssl_supported_version_range(s, &ctx->hs->min_version, 43 &ctx->hs->max_version)) { 44 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 45 return 0; 46 } 47 s->client_version = s->version = ctx->hs->max_version; 48 49 if (!ssl_get_new_session(s, 0)) /* XXX */ 50 return 0; 51 52 if (!tls1_transcript_init(s)) 53 return 0; 54 55 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); 56 57 return 1; 58 } 59 60 int 61 tls13_legacy_connect(SSL *ssl) 62 { 63 struct tls13_ctx *ctx = ssl->internal->tls13; 64 int ret; 65 66 if (ctx == NULL) { 67 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) { 68 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 69 return -1; 70 } 71 ssl->internal->tls13 = ctx; 72 ctx->ssl = ssl; 73 ctx->hs = &S3I(ssl)->hs_tls13; 74 75 if (!tls13_client_init(ctx)) { 76 if (ERR_peek_error() == 0) 77 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 78 return -1; 79 } 80 } 81 82 S3I(ssl)->hs.state = SSL_ST_CONNECT; 83 84 if ((ret = tls13_connect(ctx)) == TLS13_IO_SUCCESS) 85 S3I(ssl)->hs.state = SSL_ST_OK; 86 87 return tls13_legacy_return_code(ssl, ret); 88 } 89 90 static int 91 tls13_client_hello_build(SSL *s, CBB *cbb) 92 { 93 CBB cipher_suites, compression_methods, session_id; 94 uint8_t *sid; 95 96 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 97 goto err; 98 if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) 99 goto err; 100 101 /* Either 32-random bytes or zero length... */ 102 /* XXX - session resumption for TLSv1.2? */ 103 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 104 goto err; 105 if (!CBB_add_space(&session_id, &sid, 32)) 106 goto err; 107 arc4random_buf(sid, 32); 108 109 if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites)) 110 goto err; 111 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) { 112 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE); 113 goto err; 114 } 115 116 if (!CBB_add_u8_length_prefixed(cbb, &compression_methods)) 117 goto err; 118 if (!CBB_add_u8(&compression_methods, 0)) 119 goto err; 120 121 if (!tlsext_client_build(s, cbb, SSL_TLSEXT_MSG_CH)) 122 goto err; 123 124 if (!CBB_flush(cbb)) 125 goto err; 126 127 return 1; 128 129 err: 130 return 0; 131 } 132 133 int 134 tls13_client_hello_send(struct tls13_ctx *ctx) 135 { 136 CBB body; 137 138 if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_CLIENT_HELLO)) 139 return 0; 140 if (!tls13_client_hello_build(ctx->ssl, &body)) 141 return 0; 142 if (!tls13_handshake_msg_finish(ctx->hs_msg)) 143 return 0; 144 145 return 1; 146 } 147 148 /* 149 * HelloRetryRequest hash - RFC 8446 section 4.1.3. 150 */ 151 static const uint8_t tls13_hello_retry_request_hash[] = { 152 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 153 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91, 154 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 155 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, 156 }; 157 158 static int 159 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) 160 { 161 CBS server_random, session_id; 162 uint16_t cipher_suite, legacy_version; 163 uint8_t compression_method; 164 const SSL_CIPHER *cipher; 165 SSL *s = ctx->ssl; 166 int alert; 167 168 if (!CBS_get_u16(cbs, &legacy_version)) 169 goto err; 170 if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE)) 171 goto err; 172 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 173 goto err; 174 if (!CBS_get_u16(cbs, &cipher_suite)) 175 goto err; 176 if (!CBS_get_u8(cbs, &compression_method)) 177 goto err; 178 179 if (!tlsext_client_parse(s, cbs, &alert, SSL_TLSEXT_MSG_SH)) 180 goto err; 181 182 if (CBS_len(cbs) != 0) 183 goto err; 184 185 /* 186 * See if a supported versions extension was returned. If it was then 187 * the legacy version must be set to 0x0303 (RFC 8446 section 4.1.3). 188 * Otherwise, fallback to the legacy version, ensuring that it is both 189 * within range and not TLS 1.3 or greater (which must use the 190 * supported version extension. 191 */ 192 if (ctx->hs->server_version != 0) { 193 if (legacy_version != TLS1_2_VERSION) { 194 /* XXX - alert. */ 195 goto err; 196 } 197 } else { 198 if (legacy_version < ctx->hs->min_version || 199 legacy_version > ctx->hs->max_version || 200 legacy_version > TLS1_2_VERSION) { 201 /* XXX - alert. */ 202 goto err; 203 } 204 ctx->hs->server_version = legacy_version; 205 } 206 207 /* XXX - session_id must match. */ 208 209 /* 210 * Ensure that the cipher suite is one that we offered in the client 211 * hello and that it matches the TLS version selected. 212 */ 213 cipher = ssl3_get_cipher_by_value(cipher_suite); 214 if (cipher == NULL || 215 sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(s), cipher) < 0) { 216 /* XXX - alert. */ 217 goto err; 218 } 219 if (ctx->hs->server_version == TLS1_3_VERSION && 220 cipher->algorithm_ssl != SSL_TLSV1_3) { 221 /* XXX - alert. */ 222 goto err; 223 } 224 /* XXX - move this to hs_tls13? */ 225 S3I(s)->hs.new_cipher = cipher; 226 227 if (compression_method != 0) { 228 /* XXX - alert. */ 229 goto err; 230 } 231 232 if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, 233 sizeof(tls13_hello_retry_request_hash))) 234 ctx->handshake_stage.hs_type |= WITH_HRR; 235 236 return 1; 237 238 err: 239 /* XXX - send alert. */ 240 241 return 0; 242 } 243 244 int 245 tls13_server_hello_recv(struct tls13_ctx *ctx) 246 { 247 struct tls13_secrets *secrets; 248 struct tls13_secret context; 249 unsigned char buf[EVP_MAX_MD_SIZE]; 250 uint8_t *shared_key = NULL; 251 size_t hash_len; 252 SSL *s = ctx->ssl; 253 int ret = 0; 254 CBS cbs; 255 256 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) 257 goto err; 258 259 if (!tls13_server_hello_process(ctx, &cbs)) 260 goto err; 261 262 if (ctx->hs->server_version < TLS1_3_VERSION) { 263 /* XXX - switch back to legacy client. */ 264 goto err; 265 } 266 267 if (ctx->handshake_stage.hs_type & WITH_HRR) 268 return 1; 269 270 /* XXX - handle other key share types. */ 271 if (ctx->hs->x25519_peer_public == NULL) { 272 /* XXX - alert. */ 273 goto err; 274 } 275 if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL) 276 goto err; 277 if (!X25519(shared_key, ctx->hs->x25519_private, 278 ctx->hs->x25519_peer_public)) 279 goto err; 280 281 s->session->cipher = S3I(s)->hs.new_cipher; 282 s->session->ssl_version = ctx->hs->server_version; 283 284 if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) 285 goto err; 286 if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) 287 goto err; 288 289 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 290 goto err; 291 S3I(ctx->ssl)->hs_tls13.secrets = secrets; 292 293 /* XXX - pass in hash. */ 294 if (!tls1_transcript_hash_init(s)) 295 goto err; 296 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 297 goto err; 298 context.data = buf; 299 context.len = hash_len; 300 301 /* Early secrets. */ 302 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 303 secrets->zeros.len, &context)) 304 goto err; 305 306 /* Handshake secrets. */ 307 if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, 308 X25519_KEY_LENGTH, &context)) 309 goto err; 310 311 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 312 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 313 314 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 315 &secrets->server_handshake_traffic)) 316 goto err; 317 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 318 &secrets->client_handshake_traffic)) 319 goto err; 320 321 ctx->handshake_stage.hs_type |= NEGOTIATED; 322 ret = 1; 323 324 err: 325 freezero(shared_key, X25519_KEY_LENGTH); 326 return ret; 327 } 328 329 int 330 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx) 331 { 332 int alert; 333 CBS cbs; 334 335 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) 336 goto err; 337 338 if (!tlsext_client_parse(ctx->ssl, &cbs, &alert, SSL_TLSEXT_MSG_EE)) 339 goto err; 340 341 if (CBS_len(&cbs) != 0) 342 goto err; 343 344 return 1; 345 346 err: 347 /* XXX - send alert. */ 348 349 return 0; 350 } 351 352 int 353 tls13_server_certificate_request_recv(struct tls13_ctx *ctx) 354 { 355 /* 356 * Thanks to poor state design in the RFC, this function can be called 357 * when we actually have a certificate message instead of a certificate 358 * request... in that case we call the certificate handler after 359 * switching state, to avoid advancing state. 360 */ 361 if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) { 362 ctx->handshake_stage.hs_type |= WITHOUT_CR; 363 return tls13_server_certificate_recv(ctx); 364 } 365 366 /* XXX - unimplemented. */ 367 368 return 0; 369 } 370 371 int 372 tls13_server_certificate_recv(struct tls13_ctx *ctx) 373 { 374 CBS cbs, cert_request_context, cert_list, cert_data, cert_exts; 375 struct stack_st_X509 *certs = NULL; 376 SSL *s = ctx->ssl; 377 X509 *cert = NULL; 378 EVP_PKEY *pkey; 379 const uint8_t *p; 380 int cert_idx; 381 int ret = 0; 382 383 if ((certs = sk_X509_new_null()) == NULL) 384 goto err; 385 386 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) 387 goto err; 388 389 if (!CBS_get_u8_length_prefixed(&cbs, &cert_request_context)) 390 goto err; 391 if (CBS_len(&cert_request_context) != 0) 392 goto err; 393 if (!CBS_get_u24_length_prefixed(&cbs, &cert_list)) 394 goto err; 395 if (CBS_len(&cbs) != 0) 396 goto err; 397 398 while (CBS_len(&cert_list) > 0) { 399 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 400 goto err; 401 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 402 goto err; 403 404 p = CBS_data(&cert_data); 405 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 406 goto err; 407 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 408 goto err; 409 410 if (!sk_X509_push(certs, cert)) 411 goto err; 412 413 cert = NULL; 414 } 415 416 /* 417 * At this stage we still have no proof of possession. As such, it would 418 * be preferable to keep the chain and verify once we have successfully 419 * processed the CertificateVerify message. 420 */ 421 if (ssl_verify_cert_chain(s, certs) <= 0 && 422 s->verify_mode != SSL_VERIFY_NONE) { 423 /* XXX send alert */ 424 goto err; 425 } 426 ERR_clear_error(); 427 428 cert = sk_X509_value(certs, 0); 429 X509_up_ref(cert); 430 431 if ((pkey = X509_get0_pubkey(cert)) == NULL) 432 goto err; 433 if (EVP_PKEY_missing_parameters(pkey)) 434 goto err; 435 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 436 goto err; 437 438 ssl_sess_cert_free(SSI(s)->sess_cert); 439 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) 440 goto err; 441 442 SSI(s)->sess_cert->cert_chain = certs; 443 certs = NULL; 444 445 X509_up_ref(cert); 446 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; 447 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); 448 449 X509_free(s->session->peer); 450 451 X509_up_ref(cert); 452 s->session->peer = cert; 453 s->session->verify_result = s->verify_result; 454 455 ret = 1; 456 457 err: 458 sk_X509_pop_free(certs, X509_free); 459 X509_free(cert); 460 461 return ret; 462 } 463 464 /* 465 * Certificate Verify padding - RFC 8446 section 4.4.3. 466 */ 467 static uint8_t cert_verify_pad[64] = { 468 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 469 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 470 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 471 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 472 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 473 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 474 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 475 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 476 }; 477 478 static uint8_t server_cert_verify_context[] = "TLS 1.3, server CertificateVerify"; 479 480 int 481 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx) 482 { 483 const struct ssl_sigalg *sigalg; 484 uint16_t signature_scheme; 485 uint8_t *sig_content = NULL; 486 size_t sig_content_len; 487 EVP_MD_CTX *mdctx = NULL; 488 EVP_PKEY_CTX *pctx; 489 EVP_PKEY *pkey; 490 X509 *cert; 491 CBS cbs, signature; 492 CBB cbb; 493 int ret = 0; 494 495 memset(&cbb, 0, sizeof(cbb)); 496 497 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) 498 goto err; 499 500 if (!CBS_get_u16(&cbs, &signature_scheme)) 501 goto err; 502 if (!CBS_get_u16_length_prefixed(&cbs, &signature)) 503 goto err; 504 if (CBS_len(&cbs) != 0) 505 goto err; 506 507 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, 508 tls13_sigalgs_len)) == NULL) 509 goto err; 510 511 if (!CBB_init(&cbb, 0)) 512 goto err; 513 if (!CBB_add_bytes(&cbb, cert_verify_pad, sizeof(cert_verify_pad))) 514 goto err; 515 if (!CBB_add_bytes(&cbb, server_cert_verify_context, 516 strlen(server_cert_verify_context))) 517 goto err; 518 if (!CBB_add_u8(&cbb, 0)) 519 goto err; 520 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, 521 ctx->hs->transcript_hash_len)) 522 goto err; 523 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 524 goto err; 525 526 if ((cert = ctx->ssl->session->peer) == NULL) 527 goto err; 528 if ((pkey = X509_get0_pubkey(cert)) == NULL) 529 goto err; 530 if (!ssl_sigalg_pkey_ok(sigalg, pkey)) 531 goto err; 532 533 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 534 goto err; 535 536 if ((mdctx = EVP_MD_CTX_new()) == NULL) 537 goto err; 538 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 539 goto err; 540 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 541 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 542 goto err; 543 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 544 goto err; 545 } 546 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) 547 goto err; 548 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 549 CBS_len(&signature)) <= 0) { 550 /* XXX - send alert. */ 551 goto err; 552 } 553 554 ret = 1; 555 556 err: 557 CBB_cleanup(&cbb); 558 EVP_MD_CTX_free(mdctx); 559 free(sig_content); 560 561 return ret; 562 } 563 564 int 565 tls13_server_finished_recv(struct tls13_ctx *ctx) 566 { 567 struct tls13_secrets *secrets = ctx->hs->secrets; 568 struct tls13_secret context = { .data = "", .len = 0 }; 569 struct tls13_secret finished_key; 570 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 571 size_t transcript_hash_len; 572 uint8_t *verify_data = NULL; 573 size_t verify_data_len; 574 uint8_t key[EVP_MAX_MD_SIZE]; 575 HMAC_CTX *hmac_ctx = NULL; 576 unsigned int hlen; 577 int ret = 0; 578 CBS cbs; 579 580 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) 581 goto err; 582 583 /* 584 * Verify server finished. 585 */ 586 finished_key.data = key; 587 finished_key.len = EVP_MD_size(ctx->hash); 588 589 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 590 &secrets->server_handshake_traffic, "finished", 591 &context)) 592 goto err; 593 594 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 595 goto err; 596 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 597 ctx->hash, NULL)) 598 goto err; 599 if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, 600 ctx->hs->transcript_hash_len)) 601 goto err; 602 verify_data_len = HMAC_size(hmac_ctx); 603 if ((verify_data = calloc(1, verify_data_len)) == NULL) 604 goto err; 605 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 606 goto err; 607 if (hlen != verify_data_len) 608 goto err; 609 610 if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) { 611 /* XXX - send alert. */ 612 goto err; 613 } 614 615 /* 616 * Derive application traffic keys. 617 */ 618 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 619 sizeof(transcript_hash), &transcript_hash_len)) 620 goto err; 621 622 context.data = transcript_hash; 623 context.len = transcript_hash_len; 624 625 if (!tls13_derive_application_secrets(secrets, &context)) 626 goto err; 627 628 /* 629 * Any records following the server finished message must be encrypted 630 * using the server application traffic keys. 631 */ 632 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 633 &secrets->server_application_traffic)) 634 goto err; 635 636 ret = 1; 637 638 err: 639 HMAC_CTX_free(hmac_ctx); 640 free(verify_data); 641 642 return ret; 643 } 644 645 int 646 tls13_client_finished_send(struct tls13_ctx *ctx) 647 { 648 struct tls13_secrets *secrets = ctx->hs->secrets; 649 struct tls13_secret context = { .data = "", .len = 0 }; 650 struct tls13_secret finished_key; 651 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 652 size_t transcript_hash_len; 653 uint8_t key[EVP_MAX_MD_SIZE]; 654 uint8_t *verify_data; 655 size_t hmac_len; 656 unsigned int hlen; 657 HMAC_CTX *hmac_ctx = NULL; 658 int ret = 0; 659 CBB body; 660 661 finished_key.data = key; 662 finished_key.len = EVP_MD_size(ctx->hash); 663 664 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 665 &secrets->client_handshake_traffic, "finished", 666 &context)) 667 goto err; 668 669 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 670 sizeof(transcript_hash), &transcript_hash_len)) 671 goto err; 672 673 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 674 goto err; 675 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 676 ctx->hash, NULL)) 677 goto err; 678 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 679 goto err; 680 681 if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_FINISHED)) 682 goto err; 683 hmac_len = HMAC_size(hmac_ctx); 684 if (!CBB_add_space(&body, &verify_data, hmac_len)) 685 goto err; 686 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 687 goto err; 688 if (hlen != hmac_len) 689 goto err; 690 if (!tls13_handshake_msg_finish(ctx->hs_msg)) 691 goto err; 692 693 ret = 1; 694 695 err: 696 HMAC_CTX_free(hmac_ctx); 697 698 return ret; 699 } 700 701 int 702 tls13_client_finished_sent(struct tls13_ctx *ctx) 703 { 704 struct tls13_secrets *secrets = ctx->hs->secrets; 705 706 /* 707 * Any records following the client finished message must be encrypted 708 * using the client application traffic keys. 709 */ 710 return tls13_record_layer_set_write_traffic_key(ctx->rl, 711 &secrets->client_application_traffic); 712 } 713